From 90c94238301b5d208461f810021e572a9b06e8e7 Mon Sep 17 00:00:00 2001
From: jordan
Date: Mon, 27 Dec 2010 01:05:49 +0000
Subject: [PATCH] Fixing bug 482 in a way we escape all passed from URL parameters.
git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@630 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
 forum/utils/pagination.py | 10 +++++-----
 forum/views/readers.py | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/forum/utils/pagination.py b/forum/utils/pagination.py
index 4a3ebd6..1d36b42 100644
--- a/forum/utils/pagination.py
+++ b/forum/utils/pagination.py
@@ -6,7 +6,7 @@ from django.utils.translation import ugettext as _
 from django.http import Http404
 from django.utils.http import urlquote
 from django.utils.safestring import mark_safe
-from django.utils.html import strip_tags
+from django.utils.html import strip_tags, escape
 from forum.utils.html import sanitize_html
 import logging
@@ -273,9 +273,9 @@ def _paginated(request, objects, context):
 if pagesize:
 def page_sizes():
 if sort:
- url_builder = lambda s: mark_safe("%s%s%s=%s&%s=%s" % (base_path, url_joiner, context.SORT, sort, context.PAGESIZE, s))
+ url_builder = lambda s: mark_safe("%s%s%s=%s&%s=%s" % (escape(base_path), url_joiner, context.SORT, sort, context.PAGESIZE, s))
 else:
- url_builder = lambda s: mark_safe("%s%s%s=%s" % (base_path, url_joiner, context.PAGESIZE, s))
+ url_builder = lambda s: mark_safe("%s%s%s=%s" % (escape(base_path), url_joiner, context.PAGESIZE, s))
 sizes = [(s, url_builder(s)) for s in context.pagesizes]
@@ -290,7 +290,7 @@ def _paginated(request, objects, context):
 if sort:
 def sort_tabs():
- url_builder = lambda s: mark_safe("%s%s%s=%s" % (base_path, url_joiner, context.SORT, s))
+ url_builder = lambda s: mark_safe("%s%s%s=%s" % (escape(base_path), url_joiner, context.SORT, s))
 sorts = [(n, s.label, url_builder(n), strip_tags(s.description)) for n, s in context.sort_methods.items()]
 for name, label, url, descr in sorts:
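Review bot: In the page_sizes url_builder, `sort` is still interpolated unescaped into a string that is then passed through mark_safe, so the new escape() covers only base_path; if `sort` comes from a request parameter (it appears to be the value of the context.SORT query parameter, but its origin is outside the hunk), it bypasses template autoescaping exactly as base_path did before this commit. Suggest escaping it as well: `url_builder = lambda s: mark_safe("%s%s%s=%s&%s=%s" % (escape(base_path), url_joiner, context.SORT, escape(sort), context.PAGESIZE, s))`. The same escape-one-component-then-mark_safe pattern appears in the sort_tabs hunk below, where `s` is a key of context.sort_methods and presumably server-defined, so it is less of a concern there. A short why-comment would help the next maintainer keep the invariant, e.g. `# base_path may echo request data; escape it because the built URL is mark_safe'd into an attribute`. _paginated begins and ends outside these hunks.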
@@ -310,4 +310,4 @@ def _paginated(request, objects, context):
 context.set_preferences(request, session_prefs)
 objects.paginator = paginator
- return objects
\ No newline at end of file
+ return objects
diff --git a/forum/views/readers.py b/forum/views/readers.py
index 8e641bf..fbc0ed1 100644
--- a/forum/views/readers.py
+++ b/forum/views/readers.py
@@ -167,7 +167,7 @@ def question_list(request, initial,
 if req_params:
 req_params = '&' + req_params
- feed_url = mark_safe(request.path + "?type=rss" + req_params)
+ feed_url = mark_safe(escape(request.path + "?type=rss" + req_params))
 return pagination.paginated(request, ('questions', paginator_context or QuestionListPaginatorContext()), {
 "questions" : questions.distinct(),
-- 
2.45.2
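Review bot: `mark_safe(escape(...))` on the feed_url line is redundant and fragile: escape() already marks its result safe, and wrapping a hand-built string in mark_safe is what let unescaped request data through in the first place, so a clearer fix is to drop both and let the template autoescape it, `feed_url = request.path + "?type=rss" + req_params`, unless the template renders it with autoescape off (not visible here). If req_params is assembled from request query values (its construction is outside the hunk), HTML escaping is the right treatment for attribute context, but it is not URL encoding; urlquote, already imported in pagination.py, is the tool if the values also need to be made URL-safe. question_list starts and ends outside this hunk.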